Method for controlling access to data by redirecting modifications of the data

ABSTRACT

There is disclosed a method and apparatus for controlling access to and corruption of information in a computer system. In known “PC Virus” protection methods the boot partition becomes “Read Only” when the system is in Supervised Mode. However, Microsoft Windows, although not strictly self-modifying, does require that certain files located within the Windows directory can be written to. Accordingly the present invention provides a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising: dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by: designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information, the updated information is written on the storage medium in a location other than where the resident information is stored and a (virtual) pointer to the updated information is set up/kept so that the updated information can be accessed, as required, during the remainder of a session.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a method and apparatus for controlling access to and corruption of information in a computer system.

[0002] PCT/GB91/00261 (WO91/13403), also by the present inventors (the content of which is incorporated herein by reference), discloses a method and apparatus particularly concerned with the detection and containment of hostile programs such as “virus” programs within computer systems. In this document there is disclosed a method of (and related apparatus for) controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:

[0003] dividing information stored on the storage medium into a plurality of non-overlapping partitions, including a boot partition and a plurality of general partitions, each of the partitions being further divided into a plurality of sectors, any designated subset of the general partitions being active at any given time when the computer system is in use, characterised by

[0004] providing supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user for controlling the performance of read, write and format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and the type and status of the partition within which the sector is located,

[0005] the supervising means causing a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation, said reset causing memory to be cleared and the operating system to be loaded.

[0006] In the invention disclosed in PCT/GB91/00261 the boot partition becomes “Read Only” when the system is in Supervised Mode. This prevents attack by a virus, whilst allowing execution of DOS utilities and programs provided they are not self-modifying.

[0007] Since the conception of virus isolation according to PCT/GB91/00261 there have been changes and improvements to PC operating systems. These present certain limitations to the scope of the virus isolator invention. For example:

[0008] (1) Microsoft Windows, although not strictly self-modifying, does require that certain files located within the Windows directory can be written to.

[0009] (2) A system administrator may install an executable in the boot partition without knowing it is self-modifying. If such an executable is installed in the boot partition and self-modification of this program is attempted when the system is in Supervised Mode, the Supervisor will block the write attempt and freeze the system.

[0010] (3) The Microsoft Windows virtual memory manager may require write access to either or both of the Windows directory and the root directory of the boot partition.

[0011] (4) Network software may require access to the boot partition.

[0012] (5) In general, with a complex operating system, making the boot partition ‘Read Only’ is restrictive and may cause incompatibility and high administration overhead.

[0013] It is an object of the present invention to obviate or mitigate the aforementioned problems.

SUMMARY OF THE INVENTION

[0014] According to a first aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:

[0015] dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by

[0016] designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information, the updated information is written on the storage medium in a location other than where the/any resident information is stored and a (virtual) pointer to the updated information is set up/kept so that the updated information can be accessed, as required, during the remainder of a session.

[0017] A system reset causes the updated information, together with the list of pointers to this information, to be cleared. This returns the WMR partition to its original state as configured in Unsupervised Mode.

[0018] Provided such a WMR partition is virus-free to start with, it will be virus-free at the start of each new session.

[0019] Preferably a boot partition on the storage medium would be WMR protected. A general partition could also be WMR protected should a user require it.

[0020] The basis of the method according to the first aspect of the present invention is to set up a scheme in which the original information stored in the WMR partition is kept unaltered and the data which would normally overwrite it is stored securely elsewhere on the storage medium, where it can be accessed as required during the remainder of a session. The scheme defines how this is done efficiently, in terms of minimal additional storage space and minimal reduction in throughput time, while at the same time providing maximum security.

[0021] Preferably according to the method of the first aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,

[0022] said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition, and whether the partition is active or inactive,

[0023] said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,

[0024] and causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation.

[0025] Preferably, space is reserved on the storage medium which may be accessed only by the Supervisor, referred to as the dedicated area 2. The dedicated area may be a special partition, a range of sectors within the WMR partition, or unallocated sectors within a dormant partition.

[0026] Each WMR partition has a Sector Relocation Table (SRT) associated with it, which table is held in Supervisor RAM, each entry in an SRT defining the address of a range of sectors in the WMR partition that have been updated and the address where the updated information is located, this location being within the dedicated area.

[0027] According to a second aspect of the present invention there is provided an apparatus for controlling access to and modification of information stored on a storage medium of a computer system, the storage medium being divided into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised in that

[0028] at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (ie, update) any information stored in the WMR partition, the updated information is stored elsewhere on the storage medium and a pointer to this information is kept so the information can be accessed as required during the remainder of the session, wherein a system reset causes the updated information, together with the list of pointers to this information, to be cleared, thus returning the WMR partition to its original state as configured in Unsupervised Mode.

[0029] Preferably the apparatus further comprises supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,

[0030] said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition and, if the partition is a general partition, whether the partition is active or inactive,

[0031] said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,

[0032] the supervising means causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation, said operation being prevented by the Supervisor.

[0033] According to a third aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:

[0034] dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by

[0035] designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium, to be copied back to said WMR partition when required, for example upon a system reset.

[0036] It is apparent that according to the third aspect of the present invention a previously “Read Only” partition, such as the boot partition, is permitted to be written to without limit during a session. At the start of a new session, however, all changes to the partition are undone and the partition is restored to its original state. This partition may, therefore, be called a Write Many Recoverable (WMR) partition. Provided such a partition is virus-free to start with, it will be virus-free at the start of each new session.

[0037] The basis of the method of the third aspect of the present invention is to set up a scheme in which a copy of any “cluster” in the WMR partition that is to be over-written is stored securely elsewhere on the storage medium and can be copied back when required. The scheme defines how this is done efficiently, in terms of minimal additional storage space and minimal reduction in throughput time, while at the same time providing maximum security.

[0038] Preferably according to the method of the third aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write and format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and the type and status of the partition within which the sector is located,

[0039] the supervising means causing a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation, said reset causing memory to be cleared and the operating system to be loaded.

[0040] Preferably, the storage medium provides a special partition (Virus Isolator Space), each WMR partition having a File Allocation Table (FAT) allocated to it, which table is held in said special partition, each entry in a FAT defining the address of a cluster that has been altered in the WMR partition and the address of the copy of the information originally held in said cluster.

[0041] The information originally held in said cluster may be copied to the special partition.

[0042] Alternatively, the information originally held in said cluster may be copied to an inactive partition.

[0043] According to a fourth aspect of the present invention there is provided an apparatus for controlling access to and modification of information stored on a storage medium of a computer system, the storage medium being divided into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised in that

[0044] at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium, to be copied back to said WMR partition when required, for example upon a system reset.

[0045] Preferably the apparatus further comprises supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write or format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and the type and status of the partition within which the sector is located wherein, in use, the supervising means causes a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation.

[0046] According to any of the foregoing method aspects of the present invention read operations may be allowed on any information in the boot partition, but an attempt to write to or format the boot partition may cause a system reset.

[0047] Further, boot sectors of the storage medium may be considered to be part of the boot partition, irrespective of the position of the starting sector of the boot partition as may be defined by the storage medium operating system.

[0048] Also, reading of any operating system information sectors or user-generated information sectors in an active general partition may be allowed, writing to such user-generated information sectors may be allowed, and writing to such operating system information sectors may be restricted such that an attempt to modify the size or boundaries of the partition causes a system reset.

[0049] Only the reading of information from operating system sectors of inactive general partitions may be allowed, and an attempt to perform any other read, write or format operation on such partitions may be either denied or cause a system reset.

[0050] The restriction or prevention of the performance of read, write and format operations can be removed to allow set-up or maintenance of the storage medium and thereafter reinstated.

[0051] The storage medium may be selected from any one of a hard disk, a floppy disk, an optical disk or a tape.

[0052] Alternatively, the storage medium may be a fileserver and the computer system a local area network, and which user computer is using which partition of the fileserver may be determined such that an attempt by a user computer to perform a prohibited operation causes a reset to be required of the user computer.

[0053] According to any of the foregoing apparatus aspects of the present invention the apparatus may provide hardware means adapted to be incorporated into the computer system.

[0054] Alternatively, the apparatus may provide firmware means adapted to be incorporated into the computer system.

[0055] Alternatively, the apparatus may provide a combination of both hardware and firmware means, both being adapted to be incorporated into the computer system.

[0056] There may be provided a processor which may be made inaccessible to a user and to any virus and which supervises all data transfers between and within sub-divisions of the storage medium or storage media placed under its control.

BRIEF DESCRIPTION OF THE DRAWINGS

[0057] Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, which are:

[0058] FIG. 1 a schematic diagram showing the division of a storage medium for use in a first embodiment of the present invention;

[0059] FIG. 2 a flow chart showing the sequence of events should the computer system wish to write to a Write Many Recoverable (WMR) partition used in the embodiment of FIG. 1;

[0060] FIG. 3 a flow chart showing the sequence of events should a computer system wish to read from a Write Many Recoverable (WMR) partition;

[0061] FIG. 4 a schematic diagram showing the division of a storage medium for use in a second embodiment of the present invention;

[0062] FIG. 5 a flow chart showing the sequence of events should the computer system wish to write to a Write Many Recoverable (WMR) partition used in the embodiment of FIG. 4;

[0063] FIG. 6 a schematic block diagram of a hardware arrangement of a first embodiment of a Supervisor for use in the present invention;

[0064] FIG. 7 a schematic block diagram of a hardware arrangement of a second embodiment of a Supervisor for use in the present invention; and

[0065] FIG. 8 a schematic circuit diagram of an actual embodiment of the Supervisor of FIG. 7.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0066] The set-up and operation of the present invention is best understood by describing the various stages of operation involved. The embodiments of the invention hereinafter described beneficially include a Supervisor of the type disclosed previously in PCT/GB91/00261. The contents of PCT/GB91/00261 (WO 91/13403) are, therefore, incorporated herein by reference.

[0067] Referring firstly to the first embodiment of FIGS. 1 and 2:

[0068] 1.1 Initial Connection

[0069] When a storage medium 1 (such as a hard disk) is first connected to a computer system (not shown), space that will be inaccessible to the user, ie, a dedicated area 2, is reserved on the storage medium 1.

[0070] A password is entered and stored in either the dedicated area 2 or in Supervisor Flash ROM (FIG. 4,13). This password is later used to allow the system to be put into Unsupervised Mode.

[0071] 1.2 Unsupervised Mode

[0072] Entering this mode requires the use of the Unsupervised Mode password (reference PCT/GB91/00261). When the system is in this mode, a default partitioning scheme will be offered, although it may be re-configured by the user.

[0073] (a) Typically the default scheme could consist of the following partition types: Read Only (RO), Write Many Recoverable (WMR) 3, and ‘general’ 4. A general partition is simply a partition other than an RO or WMR partition and one which may be written to. Each WMR partition will have a Sector Relocation Table (WMR-SRT) associated with it which will be held in Supervisor RAM (FIG. 4,14). In use, each entry in the WMR-SRT defines the address of a range of sectors which are updates of sectors within a WMR partition and includes a pointer to said range of updated sectors. Each partition could be allocated a default partition type based on general guidelines. For example, Partition C=WMR; Partition D=RO; all other partitions=General; partition descriptors given by their partition label.

[0074] (b) The user may define a description string for each partition, defining its contents.

[0075] (c) The invention will permit the user, if he wishes, to revise (a) and (b) and add partitions, change partition boundaries and define the partition type for each partition.

[0076] 1.3 Supervised Mode

[0077] (a) It is important to note that when a user powers down at the end of a session in Supervised Mode the WMR-SRT is discarded, removing all pointers to updated sectors. An empty WMR-SRT returns the WMR partition to its original state, which reflects the WMR partition state after the last change made when the system was in Unsupervised Mode.

[0078] (b) The WMR-SRT is initialised ready for use.

[0079] (c) Partition bounds and number of partitions are checked against a table stored in either the dedicated area 2 or in Supervisor Flash ROM (FIG. 4,13). If, during Unsupervised Mode, the user has altered the configuration of partitions without re-configuring this table, then Supervised Mode may be denied until this is rectified. Alternatively, the table may be generated each time the user enters Supervised Mode, using a scheme which does not require user intervention.

[0080] (d) The user is prompted to select a partition, for normal reading and writing, from the list of general partitions. This is done prior to any operations of the operating system on the storage medium 1. The selected partition is defined as the ‘active partition’ and the remaining general partitions are defined as ‘dormant’ partitions. The active partition will continue to be active until the session is finished. A new session can be started when the user re-enters Supervised Mode, through resetting the system and thereby clearing system RAM.

[0081] (e) As a refinement to the above, at the start of a session a user may be prompted to provide a username or password which may be compared with data in the dedicated area 2. The user may then be restricted to a subset of the general partitions from which he can select an active partition.

[0082] (f) The user is given full access to all WMR and RO partitions (and of course to the selected active partition).

[0083] 1.4 Accessing a WMR Partition

[0084] As noted already, a WMR-SRT has been defined for each WMR partition 3 and is held in Supervisor RAM.

[0085] (a) During operation of the invention, a range of sectors may require to be updated in the WMR partition 3. When this happens, the Supervisor (not shown) generates an entry in the WMR-SRT which defines the range of sectors that are to be updated and sets a pointer to the location (in the dedicated area) where said updated sectors will be written. The original, unmodified sectors remain in their original location.

[0086] (b) The updated sectors are stored elsewhere in the storage medium, within the dedicated area. This dedicated area may be a special partition. Alternatively, the dedicated area could be located within a dormant partition. Since the dormant partitions cannot be accessed by a user during the session it is safe to use unallocated sectors, which may be released before a new session is begun. This is illustrated in FIG. 1.

[0087] (c) The Supervisor follows the flow diagram shown in FIG. 2 whenever a request is made to write to a WMR partition 3.

[0088] (d) The Supervisor follows the flow diagram shown in FIG. 3 whenever a request is made to read from a WMR partition 3.

[0089] (e) An alternative scheme for implementing a WMR partition is possible, where write operations to said partition cause the original sectors to be copied to a secure location before the write operation is allowed to complete. At the start of each session the original sectors are copied back into their original locations within the WMR partition, returning said partition to its original state.
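The redirect-on-write scheme of 1.4 (a) to (d), as an added simulation that is not code from this specification: a sector-addressed in-memory disk stands in for storage medium 1, a Supervisor object holds the WMR-SRT, writes to the WMR partition are diverted to the dedicated area with an SRT entry recording the pointer, reads follow the SRT per sector (FIG. 3), and a reset empties the table (FIG. 2 and 1.3 (a)). The 16-byte sector size, the layout (WMR partition in sectors 0 to 31, dedicated area in sectors 32 to 63), the decision to refuse a write when the dedicated area is full, and all sample sector contents are assumptions of this example.

```python
# Added example (not code from the patent): a Write Many Recoverable partition
# driven by a Sector Relocation Table held in Supervisor RAM.  The in-memory
# disk, the 16-byte sector, the partition layout and the refuse-when-full
# policy are assumptions made for illustration.
from dataclasses import dataclass

SECTOR = 16  # bytes per sector (assumption; real disks use 512 or 4096)


@dataclass
class SrtEntry:
    start: int   # first logical sector of the WMR partition covered by this entry
    count: int   # number of contiguous logical sectors covered
    dest: int    # physical sector in the dedicated area holding the updated data


class Disk:
    """Flat, sector-addressed storage standing in for the hard disk."""

    def __init__(self, sectors):
        self.buf = bytearray(sectors * SECTOR)

    def read(self, lba, n=1):
        return bytes(self.buf[lba * SECTOR:(lba + n) * SECTOR])

    def write(self, lba, data):
        assert len(data) % SECTOR == 0, "writes are whole sectors"
        self.buf[lba * SECTOR:lba * SECTOR + len(data)] = data


class Supervisor:
    """Mediates every host access to the WMR partition (logical sectors
    0..wmr_count-1).  The host never sees the dedicated area directly."""

    def __init__(self, disk, wmr, dedicated):
        self.disk = disk
        self.wmr_first, self.wmr_count = wmr
        self.ded_first, self.ded_count = dedicated
        self.srt = []       # WMR-SRT: lives in Supervisor RAM, so a reset empties it
        self.ded_used = 0   # sectors of the dedicated area consumed this session

    def _relocated(self, lsec):
        # Entries are appended in write order, so the newest entry covering a
        # sector is the one holding its current contents.
        for e in reversed(self.srt):
            if e.start <= lsec < e.start + e.count:
                return e.dest + (lsec - e.start)
        return None

    def write(self, lsec, data):
        """Write path (FIG. 2): the resident sectors are never touched; the
        update goes to the dedicated area and the SRT records where."""
        n = len(data) // SECTOR
        if lsec < 0 or lsec + n > self.wmr_count:
            raise ValueError("write outside the WMR partition")
        if self.ded_used + n > self.ded_count:
            raise IOError("dedicated area exhausted")  # assumption: refuse, never overwrite
        dest = self.ded_first + self.ded_used
        self.disk.write(dest, data)
        self.srt.append(SrtEntry(lsec, n, dest))
        self.ded_used += n

    def read(self, lsec, n=1):
        """Read path (FIG. 3): per sector, follow the SRT pointer if there is
        one, otherwise return the resident (original) sector."""
        out = bytearray()
        for s in range(lsec, lsec + n):
            phys = self._relocated(s)
            out += self.disk.read(self.wmr_first + s if phys is None else phys)
        return bytes(out)

    def reset(self):
        """System reset clears Supervisor RAM: every pointer to updated data is
        lost and the partition reads as it was left in Unsupervised Mode."""
        self.srt.clear()
        self.ded_used = 0


def sector(tag):
    """Build one sector of constructed sample data from a short tag."""
    return tag.encode().ljust(SECTOR, b"\0")


def infect_and_reset():
    """Boot sector overwritten during a session, then recovered by a reset.
    Returns (original, seen during session, seen after reset, resident bytes)."""
    disk = Disk(64)
    sup = Supervisor(disk, wmr=(0, 32), dedicated=(32, 32))
    disk.write(0, sector("BOOTSECT"))   # Unsupervised Mode: lay down the original
    sup.write(0, sector("INFECTED"))    # Supervised Mode: a virus rewrites it
    during = sup.read(0)
    sup.reset()
    return sector("BOOTSECT"), during, sup.read(0), disk.read(0)


def overlapping_updates():
    """A 3-sector update followed by a 1-sector update inside it: the read
    must splice the newest data for sector 3 with the earlier data for 2 and 4."""
    disk = Disk(64)
    sup = Supervisor(disk, wmr=(0, 32), dedicated=(32, 32))
    sup.write(2, sector("A") + sector("B") + sector("C"))
    sup.write(3, sector("X"))
    return sup.read(2, 3)
```

Two points the simulation makes visible. First, `infect_and_reset` shows why the scheme works without a virus scanner: the resident sector 0 is never written, so the "infection" exists only behind an SRT pointer that the reset destroys. Second, `overlapping_updates` shows that the SRT must be searched newest-first per sector, because later entries may partially overlap earlier ones. This toy appends one entry per write and never reclaims dedicated-area space, so a session that rewrites the same sector many times exhausts it; a real Supervisor would coalesce entries and rewrite an already-relocated range in place.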

[0090] Referring now to the second embodiment of FIGS. 4 and 5:

[0091] 2.1 Initial Connection

[0092] When a storage medium 101 (such as a hard disk) is first connected to a computer system (not shown), space that will be inaccessible to the user is reserved on the storage medium 101. This space is a special partition and can be called Virus Isolator Space 102.

[0093] A password is entered and stored in Virus Isolator Space 102. This password is later used to allow the system to be put into Unsupervised Mode.

[0094] 2.2 Unsupervised Mode

[0095] This mode requires the use of the Unsupervised Mode password (reference PCT/GB91/00261). When the system is in this mode, the user can configure both the system and the Virus Isolator Space 102.

[0096] (a) The user may define, for each partition, whether the partition is to be Read Only (RO) (not shown), Write Many Recoverable (WMR) 103, or ‘general’ 104. A general partition is simply a partition other than an RO or WMR partition and one which may be written to. Each WMR partition will have a File Allocation Table (WMR-FAT) allocated to it which will be held in Virus Isolator Space 102. In use, each entry in the WMR-FAT will define the address of a cluster that has been altered within a WMR partition and will include a pointer to a copy of the original unaltered cluster.

[0097] (b) The user may define a description string for each partition, defining its contents.

[0098] (c) When partitions are added or boundaries altered, the user may revise (a) and (b). If the user is not forced by the system to do this, a default will be adopted, such as ‘General’ status and ‘Partition 104’.

[0099] The exact housekeeping that is required need not be defined, since the scheme will work without the user's intervention provided certain general guidelines are followed. For example, Partition C=WMR; all other partitions=general; partition descriptors given by their drive letter.

[0100] 2.3 Supervised Mode

[0101] (a) All WMR partitions 103 are restored to their original state by reference to their WMR-FAT in Virus Isolator Space 102. For consistency, this also happens when entering Unsupervised Mode.

[0102] Each WMR-FAT entry contains a pointer to (ie the address of) an altered cluster within the WMR partition 103 and a pointer to a copy of the original cluster. Hence, at the start of each session, the following procedure is all that is required in order to restore the WMR partition 103:

[0103] For each WMR-FAT entry:

[0104] Copy the original cluster back to its location in the WMR partition 103 (copy cluster ‘X’ to cluster ‘A’ as shown in FIG. 4);

[0105] Delete the WMR-FAT entry. (Note: A power cut or system crash during this sequence will not affect the capability to restore the original WMR partition, although the procedure may have to be repeated.)

[0106] (b) The WMR-FAT(s) are initialised ready for use.

[0107] (c) Partition bounds and number of partitions are checked against a table stored in Virus Isolator Space 102. If, during Unsupervised Mode, the user has altered the configuration of partitions without re-configuring Virus Isolator Space 102, then Supervised Mode may be denied until this is rectified.

[0108] (d) The user is prompted to select a partition, for normal reading and writing, from the list of general partitions. This is done prior to any operations of the operating system on the storage medium 101. The selected partition is defined as the ‘active partition’ and the remaining general partitions are defined as ‘dormant’ partitions. The active partition will continue to be active until the session is finished. A new session can be started when the user re-enters Supervised Mode, through clearing the system RAM and resetting the system.

[0109] (e) As a refinement to the above, at the start of a session a user may be prompted to provide a username or password which may be compared with data in Virus Isolator Space 102. The user may then be restricted to a subset of the general partitions from which he can select an active partition.

[0110] (f) The user is given full access to all WMR and RO partitions (and of course to the selected active partition).

[0111] 2.4 Accessing a WMR Partition

[0112] As noted already, a WMR-FAT has been defined for each WMR partition 103, and stored in Virus Isolator Space 102.

[0113] (a) During operation of the invention, a cluster may require to be altered in the WMR partition 103. When this happens, the Supervisor (not shown) generates an entry in the WMR-FAT which defines the cluster that is about to be modified and has a pointer to a copy of the original.

[0114] (b) The copy of the original cluster may be stored elsewhere in the storage medium. For example, it could be stored in a dedicated area reserved for that purpose, such as a special partition or an area in Virus Isolator Space 102. Alternatively, the original cluster could be found temporary space within a dormant partition. Since the dormant partitions cannot be accessed by a user (and therefore by a virus) during the session, the original cluster is safe and may be released before a new session is begun. This is illustrated in FIG. 4.

[0115] (c) The Supervisor follows the flow diagram shown in FIG. 5 whenever a write request is made to a WMR partition 103.
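The copy-back scheme of 2.4 together with the restore procedure of 2.3 (a), as an added simulation that is not code from this specification: before a cluster of the WMR partition 103 is overwritten its original is copied into a save area standing in for Virus Isolator Space 102 and the pair is logged in the WMR-FAT; at the start of the next session the table is replayed, copying each original back and deleting the entry, and a power cut part-way through is simulated to show why the note in 2.3 (a) holds. The 8-byte cluster, the in-memory lists, the crash simulation, the sample cluster contents, and the rule that only the first write to a cluster in a session takes a copy (the specification does not spell this out; it is the choice needed to keep the saved copy pristine) are assumptions of this example.

```python
# Added example (not code from the patent): the copy-before-write scheme of
# the second embodiment, with the WMR-FAT and the saved originals persisted in
# Virus Isolator Space.  Cluster size, the in-memory disk, the crash
# simulation and the first-write-only rule are assumptions for illustration.

CLUSTER = 8  # bytes per cluster (assumption)


class CopyBackWmr:
    def __init__(self, n_clusters, save_slots):
        self.data = [bytes(CLUSTER)] * n_clusters  # the WMR partition 103
        self.save = [None] * save_slots            # copy area in Virus Isolator Space 102
        self.fat = {}  # WMR-FAT (persistent): altered cluster -> slot holding its original

    def _free_slot(self):
        for i, s in enumerate(self.save):
            if s is None:
                return i
        raise IOError("Virus Isolator Space exhausted")

    def write(self, cluster, payload):
        """Write path (FIG. 5): preserve the original, then let the write land.
        The order (copy, then pointer, then data) is what makes a crash at any
        point harmless: either the cluster is still original, or a pointer to
        a correct copy already exists.  A second write to the same cluster must
        NOT refresh the saved copy, or the restore would put back data that was
        already modified (and possibly infected)."""
        if len(payload) != CLUSTER:
            raise ValueError("whole clusters only")
        if cluster not in self.fat:
            slot = self._free_slot()
            self.save[slot] = self.data[cluster]   # 1. copy original 'A' to 'X'
            self.fat[cluster] = slot               # 2. record the pointer
        self.data[cluster] = payload               # 3. only now overwrite 'A'

    def restore(self, crash_after=None):
        """Session start, 2.3 (a): for each WMR-FAT entry copy the original
        back, then delete the entry.  A crash between the two leaves the entry
        in place, so the next run copies the same original again; copy-back is
        idempotent, so the procedure only ever needs repeating, never undoing.
        crash_after=k stops after k entries to simulate a power cut.  Returns
        True only when the table has been fully replayed."""
        done = 0
        for cluster in list(self.fat):
            if crash_after is not None and done >= crash_after:
                return False
            slot = self.fat[cluster]
            self.data[cluster] = self.save[slot]   # copy cluster 'X' back to 'A'
            del self.fat[cluster]                  # only after the copy is complete
            self.save[slot] = None
            done += 1
        return True


def session_with_crash():
    """One session's writes, a power cut part-way through the restore, and a
    second restore that finishes the job.  Returns (original contents,
    contents during the session, contents after restore, leftover WMR-FAT)."""
    p = CopyBackWmr(n_clusters=4, save_slots=4)
    p.data = [b"boot0000", b"boot1111", b"boot2222", b"boot3333"]  # constructed contents
    original = list(p.data)
    p.write(1, b"VIRUS!!!")
    p.write(1, b"VIRUS222")   # second write to the same cluster: saved copy stays boot1111
    p.write(3, b"swapfile")   # e.g. the virtual memory manager writing into the boot partition
    during = list(p.data)
    if not p.restore(crash_after=1):   # power cut after one entry was replayed
        p.restore()                    # next session repeats the procedure
    return original, during, list(p.data), dict(p.fat)
```

The restore deliberately deletes an entry only after its copy-back has completed, and the write path records the copy before the pointer and the pointer before the data: those two orderings are what justify the note in 2.3 (a) that a crash at any point costs at most a repeat of the procedure. Unlike the SRT of the first embodiment, both the WMR-FAT and the copies here must survive power loss, so they belong on the disk in space the host cannot address, not in Supervisor RAM.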

[0116] Referring now to FIG. 6 there is illustrated a block diagram of ahardware arrangement suitable for implementing a first embodiment of aSupervisor for use in an embodiment of the present invention. TheSupervisor provides a typical bus interface 7 to a mother board of aperson computer (PC) or the like, and Read Only Memory (ROM) 2containing an appropriate BIOS (Basic Input/Output System) driver tocontrol mode entry at the start of each session.

[0117] The Supervisor is designed to reside between the disk interfaceof the PC and the disk drive. The PC connects to the Supervisor througha ribbon cable 201 from the Integrated Device Electronics (IDE) bus ofthe PC. The Supervisor then connects with a disk drive over a secondribbon cable 202 which also behaves as an IDE bus. All communicationbetween the PC and the hard disk is controlled by the Supervisor.

[0118] The Supervisor hardware includes a microprocessor 216, Read OnlyMemory (ROM) 213, holding a Supervisor Operating System and a controlprogram, and Random Access Memory (RAM 214), which is a scratch memoryused to hold parameters and WRM-SRT(s).

[0119] A dual port RAM 210 provides memory which both the PC andSupervisor processor can access. The Supervisor may use this memory toreflect IDE task registers.

[0120] Transceivers 206, 209 and multiplexors 205 allow either the PC orthe Supervisor processor to access the disk drive. The Supervisorcontrols which of these has access. Latches 207, 208 allow theSupervisor, which has an 8 bit bus, to read and write 16 bit values toand from the disk drive.

[0121] A logic block 212 contains a latch which may be written to by theSupervisor processor. The value of this latch is compared with the PCinterface upper address bus, and the BIOS 211 is only enabled when thesematch. This allows the BIOS to be configured, through the Supervisor, toappear anywhere in the lowest megabyte of PC address space.

[0122] A logic block 215 maps ROM 213, RAM 214 and dual port RAM 210into the Supervisor processor address space. it also controls the accessto latches 207, 208 and within logic block 212.

[0123] A logic block 204 ensures that control signals that pass betweenthe PC and disk drive are correctly buffered and that they are inhibitedwhen the Supervisor processor is connected to the disk drive.

[0124] A logic block 203 ensures that the communication between the Pcand the disk drive is under the control of the Supervisor. It monitorsand controls read and write commands to task file registers on the diskdrive. The Supervisor processor is made aware of critical operationswhich are being attempted and controls whether the operation isprogressed, prevented or the request modified. This is implemented bydecoding off the PC address lines together with read and write controlsignals. Certain read and write attempts cause a Supervisor processorinterrupt to be generated. The Supervisor will then act based on thechange. Disk drive interrupts are also routed first to the Supervisorprocessor where they can be passed on to the PC as required.

[0125] Inspection of FIG. 4 clearly shows that a virus can never interfere with the Supervisor microprocessor 216, since it is only able to fetch executable code from its own ROM 213.

[0126] A more detailed description of the embodiment of the Supervisor shown in FIG. 6 is not given herein, as this would be within the normal undertaking of a person skilled in the art.

[0127] Referring now to FIG. 7, there is illustrated a block diagram of a hardware arrangement suitable for implementing a second embodiment of a Supervisor for use in an embodiment of the present invention. The Supervisor provides a typical hard disk adaptor card interface 310 to a mother board of a personal computer (PC) or the like, and Read Only Memory (ROM) 312 containing an appropriate BIOS (Basic Input/Output System) driver for operation of the hard disk.

[0128] The Supervisor hardware includes a microprocessor 314 and a transceiver 316, which allow the PC restricted access to a SCSI interface 318 such that the PC cannot directly select or arbitrate for the disk drive or issue commands over the SCSI interface 318. These operations can be performed only by the Supervisor microprocessor 314, which communicates bidirectionally with the PC using status in/out ports 320 and 322.

[0129] Communication between the microprocessor 314 and the SCSI interface 318 takes place via the bidirectional ports of a second transceiver 324. The Supervisor also includes its own Read Only Memory (ROM) 326, holding a Supervisor Operating System and a control program, and Random Access Memory (RAM) 328, which is a scratch memory used to hold parameters. Reset logic 330 is also provided, and is used for clearing the PC memory if and when an attempt is made to perform an operation prohibited by the Supervisor.

[0130] Referring to FIG. 8, there is shown a schematic diagram of an actual embodiment of the Supervisor, with the integers numbered identically to those of FIG. 7.

[0131] The embodiment of FIG. 8 further includes the following components: Gate Array Logic (GAL) devices G1-G5; buffers B1, B2; latches P1, P2; transceivers T1, T2; and flip-flops 74,1(1), 74,1(2), 74,2(1) and 74,2(2).

[0132] The function of these components is as follows. G1 maps the ROM BIOS into the IBM memory map, and also provides tristate connection of the output of flip-flop 74,2(2) to the IBM data bus.

[0133] G2 provides access by the IBM to a subset of the SCSI controller's internal registers by mapping them into the IBM I/O space. G2 further provides pseudo-DMA decoding logic for data transfer to/from the SCSI controller, and maps a flag, i.e. flip-flop 74,2(2), and latch P1 into the IBM I/O space.

[0134] G3 multiplexes between the Supervisor and IBM address buses onto the SCSI controller address bus.

[0135] G4 multiplexes between the Supervisor and IBM control lines to the SCSI controller. G4 also enables either (but never both) of the transceivers T1, T2, and includes logic for a possible wait state during data transfers between the IBM and the SCSI controller.

[0136] G5 maps all ports in the Supervisor I/O space: latches P1, P2, the SCSI reset line and flip-flops 74,1(2) and 74,2(2). G5 further maps ROM into the Supervisor memory map, and provides tristate connection of the output of flip-flop 74,2(2) to the Supervisor data bus.

[0137] The buffers B1, B2 ensure that there can be only one gate draining current from the IBM backplane for each of the address, IOR and IOW lines.

[0138] Flip-flop 74,1(1) divides the clock frequency by two and squares up the pulses. Dependent on the output of 74,1(2), either the IBM has (restricted) access or the Supervisor has access to the SCSI controller.

[0139] Flip-flop 74,2(1) provides part of the timing for wait state generation during SCSI data transfer, while 74,2(2) is a flag to indicate that a data byte has been sent by the IBM for the attention of the Supervisor.

[0140] The components of the embodiment of FIG. 8 are as follows. GALs G1-G5 are of the type SGS-Thomson GAL16V8-15 ns; flip-flops 74,1(1), 74,1(2), 74,2(1) and 74,2(2) are of the type 74ALS74; buffers B1, B2 are 74ALS244s; latches P1, P2 are 74ALS373s; transceivers T1, T2 are 74F245s; the processor 314 is a Zilog Z84C50 (10 MHz); the ROM 312 a 2764A (8 k×8); and the SCSI controller 318 an NCR 5380.

[0141] Inspection of FIG. 8 clearly shows that a virus can never interfere with the Supervisor microprocessor 314, since it is only able to fetch executable code from its own ROM 326.

[0142] A more detailed description of the embodiment of the Supervisor shown in FIG. 8 is not given herein, as this would be within the normal undertaking of a person skilled in the art.

[0143] The embodiments of the present invention described hereinbefore are given by way of example only, and are not meant to limit the scope thereof in any way.

[0144] It should be appreciated that the present invention seeks to alleviate the problems hereinbefore outlined in the prior art with little penalty in terms of storage or performance overhead. This invention allows a "Supervised" user full read and write access to the boot partition, whilst ensuring at the start of each session on the computer system that the boot partition is clean, virus-free and unmodified. This addresses the problems outlined above, while allowing maintenance of the complete virus protection disclosed in PCT/GB91/00261.

[0145] It may be envisaged that a user may wish to maintain changes between sessions. In that case, the user could create a batch file which stores the altered files in the active partition prior to shutdown. At the start of the new session these files could replace the originals in the WMR partitions.
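The WMR mechanism of [0144]-[0145], together with the Sector Relocation Table of claims 1, 2 and 9 below, as a working model (an added example, not the patent's own code): a write to a WMR sector leaves the resident copy untouched, places the update in the dedicated area and records the pointer in the SRT; reads go through the pointer; a reset clears the SRT and so returns the partition to its original state; and the shutdown/start-of-session carry-over of [0145] is modelled by saving the relocated contents and writing them again, which redirects them once more. The 512-byte sector size, the sparse dict used as the medium, sequential allocation within the dedicated area and the in-memory per-sector table (serialised into the range entries of claim 9) are assumptions made for the example.

```python
"""Model of a Write Many Recoverable (WMR) partition with a Sector
Relocation Table (SRT). Added example, not code from the patent.
Assumes 512-byte sectors, a sparse dict as the storage medium, a
sequentially allocated dedicated area and a per-sector in-memory SRT.
"""
SECTOR = 512


class WmrDisk:
    def __init__(self, wmr_range, dedicated_range):
        self.media = {}                         # lba -> sector bytes (constructed image)
        self.wmr_first, self.wmr_last = wmr_range
        self.ded_first, self.ded_last = dedicated_range
        if not (self.ded_first > self.wmr_last or self.ded_last < self.wmr_first):
            raise ValueError("dedicated area must not overlap the WMR partition")
        self.srt = {}                           # resident lba -> lba in dedicated area
        self.next_free = self.ded_first

    def in_wmr(self, lba):
        return self.wmr_first <= lba <= self.wmr_last

    def write(self, lba, data):
        """Write command. A WMR sector's resident copy is never overwritten:
        the update lands in the dedicated area and the SRT keeps the
        pointer. Returns the lba actually written."""
        if len(data) != SECTOR:
            raise ValueError("one full sector at a time")
        if not self.in_wmr(lba):
            self.media[lba] = bytes(data)       # ordinary partition: direct write
            return lba
        target = self.srt.get(lba)
        if target is None:                      # first update this session
            if self.next_free > self.ded_last:
                raise RuntimeError("dedicated area exhausted")
            target = self.next_free
            self.next_free += 1
            self.srt[lba] = target
        self.media[target] = bytes(data)        # later updates reuse the same slot
        return target

    def read(self, lba):
        """Read goes through the pointer when one exists."""
        return self.media.get(self.srt.get(lba, lba), bytes(SECTOR))

    def reset(self):
        """System reset (claim 2): clearing the SRT returns the partition
        to its original state; the dedicated area is recycled."""
        self.srt.clear()
        self.next_free = self.ded_first

    def srt_entries(self):
        """Claim 9 shape: (first resident lba, sector count, dedicated-area
        lba), coalescing runs contiguous on both sides."""
        entries = []
        for lba in sorted(self.srt):
            dest = self.srt[lba]
            if entries:
                first, count, d = entries[-1]
                if first + count == lba and d + count == dest:
                    entries[-1] = (first, count + 1, d)
                    continue
            entries.append((lba, 1, dest))
        return entries

    def session_changes(self):
        """What the shutdown batch file of [0145] would carry over:
        the updated contents, keyed by resident lba."""
        return {lba: self.media[dest] for lba, dest in self.srt.items()}

    def replay(self, changes):
        """Start of the next session: re-apply saved changes. They are
        redirected again, so the resident image still stays clean."""
        for lba, data in sorted(changes.items()):
            self.write(lba, data)


def demo():
    """Run one session, reset, replay; return the observations."""
    disk = WmrDisk(wmr_range=(0, 2047), dedicated_range=(2048, 2303))
    clean = b"C" * SECTOR
    for lba in range(3):
        disk.media[lba] = clean                 # constructed "clean" boot sectors
    for lba in range(3):
        disk.write(lba, bytes([lba]) * SECTOR)  # session writes, redirected
    disk.write(1, b"U" * SECTOR)                # second update of the same sector
    entries = disk.srt_entries()
    seen = [disk.read(lba)[0] for lba in range(3)]
    resident = [disk.media[lba] == clean for lba in range(3)]
    saved = disk.session_changes()
    disk.reset()
    after_reset = [disk.read(lba) == clean for lba in range(3)]
    disk.replay(saved)
    return entries, seen, resident, after_reset, disk.read(1)[0]


if __name__ == "__main__":
    print(demo())
```

The cost the patent claims as "little penalty" is visible in the model: one table entry per relocated run and one dedicated-area sector per distinct updated sector, with repeated writes to the same sector reusing their slot. The dedicated area is finite, so a session that updates more WMR sectors than it holds must be refused rather than allowed to spill onto resident data.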

What is claimed is:
 1. A method of controlling access to and modification of information stored on at least part of a non-volatile storage medium forming part of a computer system, the method comprising: in response to a write command being issued to overwrite any resident information stored in said part of the storage medium with updated information, restricting modification of information stored in said part of the storage medium by (i) writing the updated information on the storage medium in a location other than where any resident information is stored, and (ii) setting up and keeping a pointer to the updated information; providing access to information stored in said part of the storage medium, the updated information being accessed, as required, using said pointer; and subsequently clearing said pointer, thereby returning said part of the storage medium to its original state.
 2. A method as claimed in claim 1, wherein a system reset causes the pointer(s) to be cleared.
 3. A method as claimed in claim 1, wherein said part of the storage medium comprises a boot partition on the storage medium.
 4. A method as claimed in claim 1, wherein said part of the storage medium comprises a general partition.
 5. A method as claimed in claim 1, further comprising supervising means separate from a central processing unit (CPU) of the computer system and made inaccessible to the user, said supervising means performing said steps of restricting modification of and providing access to information stored in said part of the storage medium.
 6. A method as claimed in claim 5, wherein said supervising means allows a format operation only on a general partition which is active, prohibits a format operation on the boot partition or on a general partition which is inactive, and causes a warning to be issued to the user should an attempt be made to perform a prohibited operation.
 7. A method as claimed in claim 5, wherein space referred to as a dedicated area is reserved on the storage medium, which space is accessed only by the supervising means.
 8. A method as claimed in claim 7, wherein the dedicated area is a part of the storage medium wherein access is restricted.
 9. A method as claimed in claim 7, wherein for the storage of said pointer(s) said part of the storage medium has a Sector Relocation Table (SRT) associated with it, each entry in the SRT defining the address of a range of sectors in said part of the storage medium that have been updated and an address where the updated information is located within the dedicated area.
 10. A method as claimed in claim 1, wherein read operations are allowed on any information in the boot partition, but an attempt to write or format the boot partition causes a system reset.
 11. A method as claimed in claim 10, wherein boot sectors of the storage medium are considered to be part of the boot partition, irrespective of the position of the starting sector of the boot partition as may be defined by the storage medium operating system.
 12. A method as claimed in claim 11, wherein reading of any operating system information sectors or user-generated information sectors in an active general partition is allowed, writing to such user-generated information sectors is allowed, and writing to such operating system information sectors is restricted such that an attempt to modify the size or boundaries of the partition causes a system reset.
 13. A method as claimed in claim 11, wherein only the reading of information from operating system sectors of inactive general partitions is allowed, and an attempt to perform any other read, write or format operations on such partitions is denied.
 14. A method as claimed in claim 13, wherein the restriction of the performance of read, write and format operations can be removed to allow set-up or maintenance of the storage medium and thereafter reinstated.
 15. A method as claimed in claim 1, wherein the storage medium is any one of a hard disk, a floppy disk, an optical disk and a tape.
 16. A method as claimed in claim 1, wherein the storage medium is located in a fileserver, and the computer system is a local area network, and wherein an attempt by a user computer to perform a prohibited operation causes a reset to be required of the user computer.